WinRAR Vulnerability (CVE-2025-31334) Enables Silent Malware Execution on Windows

In the past week, critical cybersecurity threats have emerged, with significant vulnerabilities being reported across various platforms. Recent cybersecurity incidents include the discovery of the stealthy TCESB malware deployed by the ToddyCat group, targeting Windows systems via a DLL hijacking flaw in ESET (CVE-2024-11859) and a BYOVD technique using a vulnerable Dell driver. Also reported was the active exploitation of a zero-day privilege escalation vulnerability (CVE-2025-29824) in the Windows Common Log File System (CLFS), used in targeted ransomware campaigns by the Storm-2460 group through malicious MSBuild files and token manipulation. Additionally, sophisticated cyber-attacks have been observed targeting developers by leveraging Visual Studio Code and npm packages with obfuscated malware loaders and recruitment-themed lures linked to the Lazarus Group, facilitating data exfiltration and remote access. Researchers also uncovered a WinRAR vulnerability (CVE-2025-31334) that allows silent malware execution by bypassing Mark of the Web protections through crafted .rar archives with symbolic links. Meanwhile, a critical authentication bypass flaw (CVE-2025-31161) in CrushFTP is being actively exploited, enabling full system compromise through spoofed sessions and unauthorized admin access. These developments underscore the urgent need for organizations to stay vigilant and apply security updates promptly.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. ToddyCat Exploits ESET Flaw and Dell Driver to Deploy Stealthy TCESB Malware

A Chinese-linked threat group, ToddyCat, exploited a DLL hijacking flaw in ESET’s Command Line Scanner (CVE-2024-11859) to deploy stealthy malware dubbed TCESB. The attack abuses insecure DLL loading and a BYOVD (Bring Your Own Vulnerable Driver) tactic using Dell’s DBUtilDrv2.sys, allowing the malware to disable security monitoring at the kernel level without escalating privileges. TCESB, a modified version of EDRSandBlast, enters a loop checking for encrypted payloads to execute, enabling persistent, stealthy control. The issue affects multiple ESET products, with patches released in January 2025. Organizations are urged to update affected systems, monitor for unauthorized DLLs, block vulnerable drivers, audit driver installs, and implement least-privilege access and application whitelisting to mitigate the threat.

2. Windows CLFS Zero-Day Exploited by Ransomware Group Storm-2460

Microsoft has disclosed CVE-2025-29824, a zero-day vulnerability in the Windows Common Log File System (CLFS) driver exploited in targeted ransomware attacks. Tracked to the group Storm-2460, the flaw enabled SYSTEM-level privilege escalation through the PipeMagic malware loader. Attackers used malicious MSBuild files to deploy PipeMagic, which manipulated process tokens and injected into SYSTEM processes. Sectors hit included IT and real estate in the U.S., finance in Venezuela, and retail in Saudi Arabia. Initial access likely came via certutil fetching malware from a compromised site, followed by LSASS memory dumping and ransomware deployment. Windows 11 24H2 is immune due to enhanced privilege checks. The exploit has ties to Nokoyawa ransomware and earlier CVEs. Microsoft patched the issue in the April 2025 update. Organizations should update immediately, monitor certutil and MSBuild activity, investigate token misuse, and check for PipeMagic indicators. Compromised systems should be isolated and passwords reset.

3. North Korean APTs Target Developers with Malware via Malicious npm Packages

North Korean APT actors, likely Lazarus Group, are ramping up their attacks on the npm ecosystem through the Contagious Interview campaign. Masquerading as developer tools, malicious npm packages (downloaded over 5,600 times) are being used to deploy known malware like BeaverTail and a new Remote Access Trojan (RAT) loader. These packages use hexadecimal obfuscation and fake recruitment-themed lures to infect developer environments and exfiltrate credentials and sensitive project data. Payloads are hosted on GitHub and Bitbucket, a tactic used to evade detection and shift infrastructure. Affected packages include names like **dev-debugger-vite**, **snore-log**, and **core-pino**. Indicators of compromise span suspicious npm usernames, GitHub/Bitbucket repositories, and known C2 endpoints. Organizations should audit dependency trees, allowlist trusted packages, and monitor outbound traffic. Security teams are urged to scan for BeaverTail, track suspicious directories like eiwork_hire, and educate developers on social engineering tactics linked to fake interviews.

4. WinRAR Vulnerability (CVE-2025-31334) Enables Silent Malware Execution on Windows

A medium-severity vulnerability, CVE-2025-31334, has been discovered in WinRAR (versions prior to 7.11) that allows attackers to bypass Windows’ Mark of the Web (MotW) protections. By embedding symbolic links (symlinks) in crafted .rar files, attackers can trick users into silently executing malicious code without the usual security warning. This exploit can lead to malware installation, data theft, remote access, or even lateral movement within a network. While admin rights are required to create symlinks, the risk remains significant. The vulnerability was reported by Shimamine Taihei and coordinated by Japan’s CSIRT. WinRAR 7.11 patches the flaw by restoring MotW enforcement for symlinked executables. Organizations should update WinRAR immediately, audit older versions, restrict symlink use, and monitor archive extractions using EDR tools. Users should be educated on the risks of opening unknown archives and practice secure download habits to avoid falling victim to this stealthy attack vector.

5. CVE-2025-31161: Critical Authentication Bypass in CrushFTP Under Active Exploitation

A critical authentication bypass vulnerability in CrushFTP (CVE-2025-31161) is being actively exploited, allowing unauthenticated attackers to gain full access by impersonating valid users. Rated CVSS 9.8, the flaw lets attackers send crafted HTTP requests with fake session cookies and spoofed Authorization headers to access any account, including admin-level users. Disclosed by Outpost24 and added to CISA’s KEV catalog on April 6, federal agencies must patch by April 28, 2025. Exploits observed since April 3 include MeshAgent, AnyDesk installations, and malware deployment such as a Telegram-based bot (d3d11.dll). At least 815 instances remain vulnerable, particularly in North America and Europe, affecting sectors like marketing, retail, and semiconductors. The issue affects CrushFTP versions before 10.8.4 and 11.3.1, which should be updated immediately. Organizations must check for unauthorized accounts, unusual tools, and conduct forensic analysis if compromised. Network segmentation and credential rotation are also strongly advised.